We have just released WPML 4.6.1, which includes an important security fix. We strongly recommend updating WPML to the latest version on all your websites as soon as possible.
In the meantime, we have released WPML 4.6.2 which resolves an issue with PHP 5.6 compatibility.
Two days ago, we received a report about an XSS vulnerability in WPML. Due to security reasons, we cannot provide further details at this time.
While we don’t know of any sites that have been affected, we always advise updating WPML whenever a new release addresses security issues – big or small.
All you need to do is update all your sites running WPML to the latest version, WPML 4.6.1.
How to Update to WPML 4.6.1
The latest versions of WPML plugins you should update to:
- WPML Multilingual CMS 4.6.1
- WPML String Translation 3.2.4 (if your site is using it)
- WPML Media Translation 2.7.2 (if your site is using it)
We have rolled out WPML 4.6.1 to all sites, so you should be able to see the update by simply going to the Plugins page in the WordPress admin area.
It takes 24 hours since we release the plugins for updates to reach all of the sites.
If you don’t see WPML 4.6.1 available there, go to Plugins → Add New and click on the Commercial tab. Then, click the Check for updates button, and the update should appear in the list of available items.
Alternatively, you can manually update WPML on your site. To do this, log into your WPML account, go to the Downloads page, get WPML 4.6.1, and upload it to your site.
How to Report Security Issues to Us
We always handle security issues with the highest priority.
If you ever encounter or learn about a potential security issue in any of our plugins, please let us know using our form for reporting security and vulnerability issues.
Upcoming WordPress 6.2 Release
On a side note, WordPress 6.2 is set to be released on March 28th. Rest assured, we’ll have another update ready for you before it’s out to prevent any compatibility issues with your site.
What’s New in WPML 4.6
If you haven’t updated your site to WPML 4.6 before, read the announcement post to catch up on new features and improvements.
Questions or Feedback?
If you have any questions, feedback, or concern, please let us know in the comments below. We’ll be happy to respond!
Does it also affect versions prior to 4.6?
Hi, Fabio! Yes, it affects all prior versions, including WPML 4.6 itself.
Where can I download the new version? Pls send a link. Thx.
You can find all of the WPML plugins in your WPML account or you can install only the OTGS Installer plugin and then you will see the Commercial tab.
Hi Dario, can’t see any update notification on the plugin page.
I have installed:
– WPML Media 2.7.1
– WPML Multilingual CMS 4.5.14
– WPML String Translation 3.2.3
None of them have an update notification.
Is this ok?
Hello Anna,
have you tried the steps we recommend in the post?
Hi Agnes,
I followed the recommended steps and it worked. Thank you!
My website has 3 languages, now only one can be shown.
In plug-in description: Auto-updates enabled. What does it mean? Should each update be set up by myself or it happens automatically?
I have clicked on plugins-> Add New. But I can’t see Commercial. What should I do? Will my website be normal again after 24hours?
Hello Maggie, if you cannot see the Commercial tab (and you can see only one language instead of 3) makes me feel you have the main WPML plugin deactivated. If you didn’t do so it can be a problem on your site (sometimes plugins get deactivated automatically in case of errors). If you are not sure what happened and what to do, please go to our support forum and report this issue.
For each of your WordPress plugins, you can enable or disable automatic updates and the option to control this is available next to the plugin description, as you say. It means that as soon as that update (the new release of the plugin) is available on your site, your plugin will be automatically updated (and you don’t need to click anything).
Hello Agnes,
Many thanks for your reply.
In WP account, WPML multilingual CMS doesn’t appear any more in Installed Plugins. I try to search it in Add New, still can’t find it.
What’s going wrong and what should I do?
In Add New, I only see 4 options: Featured, Popular, Recommended, Favorit. What does you mean with Commercial?
If you cannot see the WPML multilingual CMS plugin on your list of installed plugins, it means someone removed it. You would need to install it again. Please follow this guide: https://wpml.org/faq/install-wpml/#first-install
Ist this different to WPML Multilingual CMS 4.5.14?
Ah, since 4.5.14 there are no updates visible. Just with the workaround. 🙁 And WPML ist WPML Multilingual CMS.
You are right – “WPML Multilingual CMS” is the full name of the core WPML plugin. Glad to hear that the workaround has helped.
WPML 4.6 introduced:
– Improved bulk auto-translation flow
– New Language Switcher block
– Ability to use SVG flags for the language switcher
– Ability to select language formality for DeepL
Please check the full list in the 4.6 announcement post.
4.6.1 (compared with 4.6) includes only an important security fix
Now I’m worried. Same as last time when you sent out an email about an important update: As of now, March 16th at 16:24 UTC, there is no WPML update available. I am on automatic updates from wordpress.org and I can’t get any newer version than 4.5.14
Gregor, yes, this delay is expected for the first 24 hours. Please go to Plugins → Add New and click on the Commercial tab. Then, click the Check for updates button, and the update should appear in the list of available items.
Is this release for WPML Multilingual CMS?
Version 4.5.14
Mine is registered but I see no upgrade message?
Paul, please click Check for updates (Plugins > Add new > Commercial).
Hi
My version is 4.5.14 (I don’t understand why I do not have the 4.6 version, it was a manual update ?). Well, do I have to update too ?
And if yes, can I jump directly from 4.5.14 to 4.6 ? Or do I have to check if there is other version between this two ?
Version 4.6 is the direct successor of 4.5.14 with no intermediate releases in between.
Cécile, all our updates are automatic but sometimes you need to wait a bit until these are available to 100% of our clients. You can always see the updates immediately by going to Plugins > Add new > Commercial and clicking on the Check for updates button.
Thank you Agnes,
All is ok here !
Hi Dario, can’t see any update notification on the plugin page.
I have installed:
– WPML Media 2.7.1
– WPML Multilingual CMS 4.5.14
– WPML String Translation 3.2.3
None of them have an update notification.
Is this ok?
WPML Media 2.7.1 and WPML String Translation 3.2.3 are the recent ones. You need to update only WPML Multilingual CMS 4.5.14 – please try: Plugins > Add new > Commercial and click on the Check for updates button and you will see WPML Multilingual CMS 4.6.1 in the list of available items.
Okay, I just checked and there were no updates available.
Switched to beta search and then it was there 4.61.
I was still running 4.5x.
So with checking on updates I do not get the latest version there is.
Als i can not activate the OTGS Installer.
I’m glad that you eventually managed to switch to 4.6.1. If you use the WPML Multilingual CMS plugin you don’t need the OTGS Installer plugin. Simply go to Plugins > Add new > Commercial tab and you will get the same functionality.
Yes, that is what i did on 2 websites but there was no update available.
But both were running 4.5x.
When forcing beta search there was an update.
So i think there is some trouble with the cache somewhere or a sync with WPML data.
I have noticed this problem before.
We also had to switch from production to beta and then back to production in order to get the updates. The same issue on 20 sites. Our previous version were 4.5x.
Had you tried the “Check for updates” button” before playing with the Production/Beta switcher?
Yes, multiple times on few of the sites.
I think the issue could be that outgoing http request over port 80 is blocked by default at our hosting provider.
The first update request is made over http for http://*.cloudfront.net/wpml33-products.json where the * is a rotating/”random” subdomain (please correct me if I’m wrong)?
We have probably in the past asked our hosting provider to open up for http request for a few subdomains at Clooudfront and this will work until the subdomain changes or “rotates” back.
Is it possible for WPML to open up for initial update requests over https also? The rest of the update process seems to be over https.
Thank you for the details.
I cannot answer your question at the moment. Our developers need to look into it. I have opened an internal ticket for them to follow up. Thank you again for providing these technical details.
After consulting your request with developers, yes it is possible to open up for initial update requests over https and we will include it in our development plans. What you can do as a workaround is A) wait 24 hours after WPML releases B) Go to Dashboard -> Updates -> and click “Check again” on the WordPress Updates screen.
Hello Joel,
this looks like a result of an incomplete or interrupted update. Reuploading the plugin should solve the issue. Please let us know if that helped Joel.